Journalists and dissidents involved in Chinese affairs are accustomed to every so often receiving a pop-up banner on their Gmail from Google informing them that “state-sponsored attackers” may have been attempting to gain access to their accounts. To guard against such intrusions, Google suggests signing up for its Advanced Protection Program.

The Advanced Protection Program involves using a pair of security keys that can be purchased on Amazon. The problem? Google recommends a product — the Feitian MultiPass FIDO Security Key — manufactured in China, by a Chinese company that is part of an “IT-Military Alliance” with the People’s Liberation Army (PLA). Its chief of research and development of over 16 years is a former member of the PLA. And it does the vast majority of its business selling security hardware to Chinese state banks.

Google unveiled its Advanced Protection Program in October 2017 as reported by The New York Times. But the report did not explore the extensive relationships between the Chinese supplier, Beijing Feitian Chengxin Technology Co., Ltd., and the Chinese government.

Security keys like the Feitian MultiPass are an implementation of public key cryptography — the most well known version of which is PGP (Pretty Good Privacy) — in hardware form. They are a form of two-factor authentication that allows only an individual holding both the key and the password to access an account; if either is missing, access is denied. The introduction of hardware to the security equation makes access safe from phishing, social engineering, and even attacks on cell phones that intercept one-time security codes sent via SMS.

It is unclear how feasible it may be for Chinese intelligence and military actors to install a backdoor in or otherwise compromise the hardware. But if the hardware manufacturer is mobbed up with one of the most sophisticated offensive cyber actors in the world, the “world’s worst abuser of internet freedom” according to Freedom House, and a country where a private company can never say no to government demand, the question arises: Can it be safe?

China Change examined security filings, advertisements, periodicals, and media reports to build a mosaic of the interlocking relationships between Chinese state organs and Feitian Chengxin (飞天诚信股份有限公司). The image that emerges does not appear encouraging for the computer security of Chinese dissidents and others who may be using the product.

Company founding

Feitian was set up by four friends, three of whom were 1992 computer science graduates of Northern Jiaotong University (now Beijing Jiaotong University 北京交通大学): among them Huang Yu (黄煜), the current chairman, Li Wei (李伟), the general manager, and Lu Zhou (陆舟) their chief engineer.[1] Han Xuefeng (韩雪峰), a middle-school friend of Huang Yu, was recruited from a computer job in the Ministry of Railways to form the company with them. The four continue to own the majority of the company’s shares.[2]

The four founders of the company after it went public on the Shenzhen Stock Exchange on June 26, 2014. Huang Yu and Li Wei (in that order) are on the right, while Lu Zhou and Han Xuefeng stand on the left.

The company was founded in 1998 at the beginning of a technology and internet boom in China. It has since become “the No.1 supplier of user authentication and transaction security for China Online Banking,” according to its website, employing 850 staff and serving thousands of businesses in 100 countries.[3]

As Feitian grew, so too did its ties to official China. By 2015, the conference room in its main Beijing campus had a wall full of awards and certifications from Chinese government departments.[4]

Dominance in the state bank market

The foundation of Feitian’s business in China has been in providing security fobs to state banks.

Lucrative contracts with the Industrial and Commercial Bank of China (the country’s largest) and China Merchants Bank were its first major orders in 2003, though it sat lower down in the food chain at that point, only able to operate as the original equipment manufacturer (OEM) for another brand.

Later the company was certified by the People’s Bank of China, China’s central bank,[5] and by 2005 was doing business with banks directly — including China CITIC Bank — not merely as an OEM.[6]

By 2014, 85% of the company’s revenue was coming from state banks, and Feitian was among the top three such vendors by revenue in the country.[7]

State information security a ‘precious business opportunity’

In 2003 the company joined the “IT-Military Alliance” (计算机世界科技拥军联盟) upon its founding. The event was hosted by the Network Infrastructure Department of the PLA’s General Armaments Department, along with other official organizations.

Only 12 companies formed the IT-Military Alliance. The founding ceremony was marketed as an opportunity for industry to present tribute to the PLA in celebration of the 76th year since its founding. Feitian notes on its website that “the head of the General Armaments Department expressed a deep interest in Feitian’s products,” and that “Feitian will inevitably provide earnest service to the giant military market under the grand strategy of ‘civil-military integration,’ and thus do our bit to help the construction of the nation’s informatized defensive infrastructure!”[8]

“In Earnest Celebration of the 76th Anniversary of the Founding of the People’s Liberation Army — Ceremony for the Founding of the IT-Military Alliance.” The event was part of Jiang Zemin’s push for “informatization” (信息化) of the PLA.

Though it is unclear when in 2003 Feitian won its first contract with ICBC, it is difficult not to imagine that its involvement with the PLA — irresistible though it may have been — helped in forging such relationships. Its approval and verification by the State Cryptography Administration in 2004 was also flagged as a “key milestone.”[9]

Already successful with banks, Feitian’s chief of research and development told the media in 2003 that the next areas of growth would be the military, and departments and offices handling classified information (机要部门).[10]

The logic was obvious to Feitian executives: “As government procurement strengthens and priority is given to domestic products, our country’s state information security will be pushed forward considerably, and this is a precious business opportunity for the vast field of security companies.”[11]

It is difficult to find public information on the extent of that line of business. The company’s technology has however been certified as “military-use information security products.”[12]

In 2006, the company was awarded over one million yuan from a fund for new technology set up by China’s Ministry of Science and Technology. “This is the country’s strong affirmation of Feitian Co., and a thorough recognition of its technological prowess, project management capacity, and reputation,” said an announcement in the scientific press at the time.[13] Later in the year the company’s tech was declared “A New Important National Product” (国家重点新产品) by a number of government departments.[14]

From 2007 onwards, Feitian was selected to provide a smart card identity recognition system (智能网络身份认证系统) as part of the Torch Program,[15] China’s national plan to develop its high-technology industrial base.[16]

The company is part of a Smartcard Intellectual Property Alliance, a kind of government-industry group associated with the Beijing Municipal Intellectual Property Rights Bureau. A member of the Bureau’s Party Group (党组) presided over the alliance’s founding ceremony, on the basis that “the smartcard security industry concerns national information security and is an area of high-technology strongly supported by Beijing.”[17]

An example of one of Feitian’s security key products sold to banks in China, the ePass2000Auto LE.

Since 2009 Feitian has been listed in numerous databases maintained by the Ministry of Public Security among the accepted providers of identity recognition systems.[18] The list contains only Chinese companies trusted by the state, among them Huawei.

The company has also been the recipient of praise from former vice minister of Public Security Chen Zhimin (陈智敏) and other public and information security cadres, who are said to have expressed “excellent regard” for the company’s security management and identification security.[19]

Perhaps most notably, since 2002 its research and development chief has been Yu Huazhang (于华章), a graduate of the PLA’s Information Engineering University and for the first seven years of his career an assistant researcher in the PLA’s General Staff Department. In April 2010, he became a 1% shareholder in the company. He is also a vice general manager.

The company and its key engineers won third prize (among many others) in the 2014 Beijing Municipal Technology Awards for “Application and operating system research and development for a chip in a visible-button smart security card” (可视按键型智能密码钥匙片内操作系统研发与应用), which sounds similar to the product being vended for Google’s enhanced security.[20]

Then there are the numerous exhibitions of official fealty on Feitian’s website, each not particularly significant taken on its own, but as a collection making clear that the company knows which way the wind blows. As a matter of routine, Feitian engages in activities like the following:

Hosting workshops for Chinese academicians to explicate the “spirit” of a series of Xi Jinping’s important speeches in order to “implement and carry out” the political directives resultant from the 18th Party Congress;[21]

The company has been relatively profitable. Within its first year or so it had booked five million yuan in revenue, at a gross profit of nearly 50%; by 2014, when it went public on the Shenzhen Stock Exchange, its revenues were just over one billion yuan, with 250 million yuan in profit. (Its stock has been cut nearly in half since April 2018, however, due to “an inexplicable explosion in all manner of costs.”) In 2003 it occupied around 50% of the market for USB security keys, a dominance that it has likely grown since.[24]

Li Jinai (fifth from left), the former secretary of the PLA General Armaments Department and a member of the Central Military Commission, stands next to Feitian’s chairman Huang Yu (fifth from right), at a ceremony marking an alliance between the PLA and the IT industry in 2003.

The company has sought to expand overseas for at least a decade, in 2007 noting on its website that “Feitian’s ePass identification authentication products have been adopted by governments, banks, and others around the world. We have won a strong reputation as an independent Chinese company with our own intellectual property striding onto the world stage in information security.”

It is difficult to gather data on the extent of those expansion efforts — though the recommendation by Google speaks well to at least a partial success.

But does this compromise user security?

It goes without saying that almost everything we have documented above is simply part and parcel of Chinese companies doing business in China — in particular in a sensitive sector like information and network security, and especially when doing large business with state banks. When the PLA invites your company to join in the “earnest celebration” of its anniversary, present gifts, and join its industrial “alliance,” you don’t respectfully decline.

The same would obtain if the company were ever approached by military or civilian intelligence and instructed to install backdoors in its security fobs, according to Tom Uren, a visiting fellow in the International Cyber Policy Centre at the Australian Strategic Policy Institute.

“Companies in China aren’t able to refuse to engage in intelligence activities. This is laid out very clearly in Article 7 of China’s new 2017 National Intelligence Law,” Uren wrote in an email.

The law states: “All organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of national intelligence work they are aware of. The state will protect individuals and organizations that support, cooperate with, and collaborate in national intelligence work.”

Feitian’s chairman Huang Yu sits at his desk. The text says: “Feitian Chengxin: The Chinese Face That Appeared Eight Times at the RSA Conference.” (Source: 李玲玲. 飞天诚信:八次现身RSA大会的中国面孔. 软件世界杂志 2011(4). 60-61.)

A Chinese information security business has no choice in the matter. The question then becomes how feasible it is for the security device to be weakened or tampered with. At the very least, there is an obvious opportunity at the level of firmware — the software layer coded into a device that controls its hardware — for an adversary to create mischief.

“The firmware matters a lot, and that looks like why Google is planning to replace the firmware on their whitelabeled Feitian keys,” says Dan Guido, CEO of Trail of Bits, a New York-based computer security firm.

This refers to Google’s ‘Titan’ security keys, which appear to be Feitian hardware with Google’s own firmware. On its Advanced Protection Program page, however, Google links users directly to Feitian’s own website, not to the Titan keys with Google’s own firmware.

“Attackers will tend to use the easiest method to achieve their goals,” says Tom Uren. “Is compromising the Feitian security key supply chain the easiest way? Maybe. Phishing is certainly the easiest/cheapest way to hack data currently and security keys significantly reduce its effectiveness. It will certainly be an avenue that Chinese intelligence would have to consider if security keys are widely used by people of interest to them.”

The means by which attackers could gain unauthorized access through the keys are potentially numerous, including complex methods of introducing flaws in the cryptography or its implementation. Markus Vervier, a computer security researcher, has documented vulnerabilities in some implementations of U2F (universal two factor authentication). His work was not in reference to Feitian.

Yubico, a Swedish-founded company and Google’s other suggested vendor of U2F products, seems to have previously made a veiled suggestion as to the potential vulnerability of its competitor. CEO Stina Ehrensvard wrote on the company’s blog: “Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.” The company declined to comment for this article.

Google did not respond to a request for comment. The FIDO Alliance, an organization that certifies hardware (and which has certified Feitian) for implementing the security protocols used in U2F products, did not respond to a request for comment. Feitian did not respond to a request for comment.

One security researcher refused to comment because it’s “obvious” that backdoors could be put into hardware at the manufacturing stage, and his team didn’t want to single out any particular country.

Perhaps the simplest test of the security of the Feitian keys is a gut check: would security experts themselves use them?

At China Change, a few dedicated staff on a shoestring budget bring you information and produce videos about human rights, rule of law, and civil society in China. We want to help you understand aspects of China’s political landscape that are the most censored and least understood. We are a 501(c)(3) organization, and your contribution is tax-deductible. For offline donation, check our “Become a Benefactor” page. Thank you.

16 Comments

[…] As reported by human rights outfit and news outlet China Change, which is part of the Human Rights Archive at Columbia University, in 2003, the company joined the “IT-Military Alliance” (计算机世界科技拥军联盟), made up of 12 companies in total. A document viewed by ZDNet verified the findings. […]